The present invention generally relates to the field of secure communications encompassing encryption and decryption for controlling access and preventing unauthorized access to licensed and proprietary information.
Secure Sockets Layer (SSL) is a cryptographic protocol that provides secure communications over networks. A common implementation for SSL is Internet applications including web browsing and electronic mail. Another common application for SSL is video distribution for cable television.
SSL enables client/server applications to securely communicate across a network. SSL is designed to prevent unauthorized eavesdropping, tampering and message forgery.
SSL uses cryptographic techniques to provide secure communications between a client and a server. SSL provides (or incorporates) authentication procedures for verifying client and server identity. SSL supports unilateral authentication where only the server is authenticated or bilateral authentication wherein client and server are both authenticated.
Communication via SSL includes algorithm negotiation, certificate verification, key exchange and data transfer.
For SSL algorithm negotiation, a client requests a secure connection with a server and communicates a list of supported cryptographic algorithms to the server. The server selects the most secure cryptographic algorithm from the supplied list and communicates the selection to the client.
For SSL certificate verification, the server communicates its identification to the client in the form of a digital certificate. The digital certificate contains the server name, a trusted certificate authority (CA) and the server's public encryption key. The client then communicates with the trusted CA to confirm the identity of the server. For bilateral SSL communication, the server verifies the identity of the client via a trusted CA in a similar manner with the client communicating its digital certificate, trusted CA and public encryption key.
For SSL key exchange, the server and client exchange keys for the encryption and decryption of the data which is to be transferred. For SSL data transfer, client and server use previously exchanged encryption/decryption keys for secure transfer of data. While not impenetrable, SSL does provide a highly secure transfer of information.
Digital Rights Management (DRM) is a term referring to access control methods used by copyright holders, media distribution outlets and publishers for restricting access to digital content and devices to entities which are authorized access. The DRM associated with a particular piece of digital data may provide: a set of access rights, e.g., can the receiver of the digital data access the digital data, and if so, how many times; and a set of copy rights, e.g., can the receiver of the digital data copy the digital data, and if so, how many times. DRM is deployed in order to prevent the unauthorized viewing, copying and/or distribution of digital content.
In practice, many widely used DRM systems have been defeated or circumvented following large scale deployment. Conventional DRM systems are generally designed such that keys used for secure data exchange are made available via an unintended access point provided by a system's hardware and/or software.
Conventional hardware and software are designed to allow system designers, manufacturers and users to implement system debugging, testing, configuring and diagnostics. While these capabilities increase system efficiency, they enable unauthorized access to keys used for encrypting and decrypting digital content. Hackers can use the access points provided by hardware and software to gain unauthorized access to digital keys and content.
A conventional video distribution system provides digital video content to end users. Digital video content is communicated, for example, to a Set Top Box (STB) located at the user's premises. Hardware and software located in the STB determines whether an end user is authorized to view digital video content based on the license agreement (associated with a DRM) between the end user and the video distribution proprietor. STBs are not easily portable and reside on the end user's premises and are generally operational only when located on the premises.
A Portable Media Player (PMP) may be connected to the STB for downloading and future viewing of digital video content from the STB. A PMP may be transported to locations outside of the end user's premises. An end user may view digital video content subject to the license agreement whether or not the PMP is located at the end user's premises.
In addition to using SSL for secure communication between a STB and a PMP, digital video distribution systems encrypt and decrypt the digital video content using a specific predetermined key to unlock the content, i.e., a Content Key (CK). CKs, along with the encrypted digital video content, are communicated between STB and PMP via SSL communications.
FIG. 1 illustrates an example of a conventional video distribution system by which a user can request video for viewing and for controlling the operation of the displayed video.
A video distribution system 100 includes a STB 102, a STB user interface 104, a communications link 106, a communications system 108, a display 110, a channel 112, a PMP 114, a communications channel 116, a display 118 and a PMP user interface 120.
STB 102 communicates with communications system 108 via communications link 106. Communications link 106 provides bi-directional communication between STB 102 and communications system 108. STB 102 is able to receive control, status request, configuration and data information via communications link 106. Additionally, STB 102 is able to transmit to communications system 108 via communications link 106.
STB user interface 104 is located on the front assembly of STB 102. STB user interface 104 provides status information to users (not shown) and provides users limited ability to control STB 102.
Display 110 is connected to STB 102 via channel 112. Video information provided by STB 102 is transmitted via channel 112 to display 110 and is viewed by users.
PMP 114 is connected to STB 102 via communications channel 116. Display 118 is connected to PMP 114. Users are able to view video on display 118. Video is provided to display 118 by PMP 114. Video is provided to PMP 114 by STB 102 via communications channel 116. PMP user interface 120 is connected to PMP 114. PMP user interface 120 enables users to configure and control the operation of PMP 114. A primary function of PMP user interface 120 is to enable users to request video for viewing on display 118. PMP user interface 120 also enables users to control the video viewed on display 118. Users can use PMP user interface 120 to start, stop, pause, fast forward and rewind digital video content.
Proprietors of video delivery systems desire a secure way to deliver digital video content to their customers. Unauthorized access to keys or data can result in lost revenue for proprietors. The following discussion related to FIG. 2 will further explain conventional security measures related to conventional video delivery systems.
FIG. 2 illustrates an example of conventional secure communications between STB 102 and PMP 114. STB 102 includes a data processing and storage portion 201, a digital rights management portion 203 and a CK generating portion 205. CK generating portion 205 is operable to generate a CK 206. Digital rights management portion 203 is operable to manage digital rights of content as STB DRM 204. Data processing and storage portion 201 is operable to process and store data for use by STB 102 and PMP 114. PMP 114 includes a processing portion 207, which includes a CK receiving portion 208 and a digital rights management portion 209. Processing portion 207 is operable to process data received by STB 102. CK receiving portion 208 is operable to receive CK 206 from STB 102. Digital rights management portion 209 holds PMP DRM 210, as will be discussed in more detail below. PMP 114 is able to request and receive information from STB 102 securely via SSL 202. Unauthorized decryption of information is difficult via SSL, but possible by accessing internal electronic connections of PMP 114.
PMP 114 and STB 102 communicate bi-directionally via communications channel 116 as illustrated in FIG. 1. PMP 114 and STB 102 communicate in a secure manner via SSL 202 as illustrated in FIG. 2.
As illustrated in FIG. 2, a data 200, a STB DRM 204 and a CK 206 are located in data processing and storage portion 201, a digital rights management portion 203 and a CK generating portion 205, respectively, of STB 102. STB DRM 204 establishes rights for data 200. Such rights may dictate whether (and how often) an entity may play or copy data 200. Data 200 includes content data that is encrypted with CK 206. The encrypted content is sent to an authorized entity (upon request) with CK 206. The authorized entity may then unlock the requested content data with CK 206 in order to play and/or record the content data in compliance with the rights provided by STB DRM 204. A PMP DRM 210 is located in PMP 114.
Data and encryption keys within conventional video distributions systems, as illustrated in FIG. 1 and FIG. 2, are vulnerable to being compromised via unauthorized access. As a result of compromise, data may be used by unauthorized entities or may be used inappropriately by authorized entities; by accessing the data in an unauthorized manner during time periods in which they are not authorized to have access or by accessing more times than they are allowed per the licensing agreement.
An access point which persons commonly attempt unauthorized decryption of information being transmitted between STB 102 and PMP 114 is located on SSL 202, represented as an attack point 212. Another point in which persons commonly attempt unauthorized decryption of information being transmitted between STB 102 and PMP 114 is located at PMP 114, represented as an attack point 214.
For example, an end user or application, generates a request to obtain content from STB 102 via PMP 114.
SSL algorithm negotiation, certificate verification and key exchange are performed between STB 102 and PMP 114. A request for data 200 is transmitted from PMP 114 to STB 102 via SSL. STB 102 receives SSL encrypted request for data 200 and decrypts the request. After decryption, the request is communicated to STB DRM 204. STB DRM 204 provides digital rights management for STB 102. STB DRM 204 functions to determine whether a request meets license agreements and therefore, is to be made available to the requestor.
STB DRM 204 receives a request for data 200. If STB DRM 204 deems end user's request is valid, then STB DRM 204 encrypts data 200 using CK 206 and then provides CK 206 and the encrypted version of data 200 to PMP 114 via SSL 202. The encrypted version of data 200 from STB DRM 204 includes digital rights, which may dictate whether data 200 may be copied (by what and how often) or played (by what, when, and how often).
PMP DRM 210 receives CK 206 and data 200 transmitted by STB 102 via SSL 202. PMP DRM 210 uses the copy of CK 206 from within CK receiving portion 208 to decrypt data 200. PMP DRM 210 parses the content of data 200 to determine its type and function. PMP DRM 210 functions to determine whether a request for data meets license agreements and is to be made available. If PMP DRM 210 deems a request is valid, then PMP DRM 210 provides data 200 to end user.
Attempting to gain unauthorized access to information transmitted between STB 102 and PMP 114 is very difficult as SSL provides a high level of security protection. However, as briefly mentioned above, unauthorized access to information transmitted between STB 102 and PMP 114 with conventional systems is possible by gaining access to internal electronic connections of PMP 114 and through observation of unencrypted information on the internal electronic connections.
Such unauthorized access to keys and data will now be described with reference to FIG. 3.
FIG. 3 illustrates an example of a conventional hardware design and configuration for PMP 114. PMP 114 includes a processor portion 300, a processor portion 302 and a display 304.
Processor portion 300 is arranged to receive SSL session data from SSL 202 by way of a communication line 306. The SSL session data for PMP 114 includes includes encrypted content requested by PMP 114, keys (to decrypt the content) and digital rights. Processor portion 302 is arranged to receive unencrypted data from processor portion 300 by way of a communication channel 308. Processor portion 302 is operable to process the data for delivery to display 304 via communication channel 310.
SSL 202 securely delivers the SSL session data to PMP 114. However, for conventional PMP 114, unauthorized access can be gained to unencrypted and decrypted data and keys once the SSL session data is delivered to processor portion. In particular, once the SSL session data is delivered to processor portion 300, a person may successfully hack into processor portion 300 to obtain the encryption keys, content or digital rights.
The unauthorized content and encryption keys can then be used, enabling unauthorized viewing of video on PMP 114. Additionally, unauthorized access to encryption keys can facilitate the unauthorized viewing of video on PMPs other than PMP 114.
What is needed is a system and method for preventing unauthorized access to data and keys located on a PMP.